4 Replies Latest reply on Oct 16, 2014 4:05 PM by VCampus-METCO

    Coresight 2014 Authentication

    VCampus-METCO

      I have installed coresight 2014 on a standalone VM running 3008 R2 OS. The server is part of a test domain environment.

       

      The coresight app pools run under a domain service account. That account is trusted for delegation in AD, and I have setspn's for the account on the coresight server machine based on hostname and FQDN for HTTP.

       

      Coresight is installed on a new site that I created, on port 8080. The site itself has anonymous authentication enabled, and the coresight application beneath that has only windows authentication enabled, with enable kernel-mode authentication check box turned off under advanced settings and Negotiate being the top most provider.

       

      I have added users to the coresightusers group and coresight admins group.

       

      I can log on to the coresight server under a domain account which belongs to the coresight users group locally using the URL http://localhost:8080/coresight. This does not prompt for a username/password. I can see in Network Connections on the PI Server that the w3wp.exe process is logged in using a mapping with my domain account and coresight service account shown.

       

      If I try the same thing from a separate test client PC on the same test domain using the URL http://PI-IIS:8080/coresight or http://PI-IIS.PIDemo.local:8080/coresight, I am prompted for a username/password and no matter what I enter it will not give me access, even though I am logged onto the test client PC with the same account that I am using on the coresight server directly. I am using IE 11 with windows authentication enabled in the browser.

       

      I have checked windows firewall and made sure that port 80 and 443 are allowed on the coresight server.

       

      Does anyone have any ideas as to why coresight does not work from my client?

       

       

        • Re: Coresight 2014 Authentication
          VCampus-METCO

          I solved the problem but don't really understand whether it is a valid solution or not.

           

          On the coresight server I had set the coresight application to use windows authentication and to use Negotiate followed by NTLM as the order of authentication provider to use. When I switched these round to use NTLM then Negotiate it worked fine on both the coresight server and client.

           

          My understanding was that negotiate tried kerberos first then if that failed it would try NTLM, so why switching this round works I do not know. I used fiddler to monitor the traffic between the client and server and on the server itself and I could see kerberos authentication headers being sent and received.

           

          One other interesting point was that in PI Server I saw that the w3wp.exe connected as the user and coresight service account from the server machine. When you connect to coresight from the client under a different account should it show that user's ID also in the user id list? Because it did not change. So I am not 100% sure whether the second user was accessing data using the correct credentials or not.

           

          If anyone can explain what is going on here I would be very interested to know.

           

          Simon

            • Re: Coresight 2014 Authentication
              Marcos Vainer Loeff

              Hi Simon,

               

              I will transfer this case to TechSupport. They will contact you soon.

              • Re: Coresight 2014 Authentication
                rmeyskens

                In network manager statistics you should see the app pool user account and the windows user account from the client both connect to the w3wp.exe.

                 

                We have Coresight 2013. When we installed we created a new website and then installed the coresight app to that website. We have anonymous authentication disabled. Only windows authentication is enabled. Negotiate is listed first in the enabled providers properties.

                 

                It has been a couple of years, but I want to say we only got this to work when we created a dns entry for the specific website. Then created spn based off of the dns entry.

                  • Re: Coresight 2014 Authentication
                    VCampus-METCO

                    Randy,

                     

                    Thanks for the reply. I checked this again and I found that my SPN was pointing to the wrong server! I corrected this and set the authentication back to negotiate and immediately I was able to connect to coresight using both the machine name (remotely) and localhost from the server.

                     

                    I have seen the problem you mention before with DNS. On another project using the hostname did not work but the FQDN did.
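
The SPN check that resolved this thread, as an added example that is not part of any post above: for each HTTP SPN a client would request, it reports whether the SPN is missing, duplicated, or registered on an account other than the app pool identity. The host names are the ones quoted in the thread; the account name `svc-coresight` and the function name `Test-SpnOwner` are placeholders.

```powershell
# Added example, not from the thread. With kernel-mode authentication turned
# off, IIS decrypts the Kerberos ticket as the app pool identity, so each HTTP
# SPN must sit on that service account and on no other object.
$ExpectedAccount = 'svc-coresight'   # placeholder sAMAccountName (assumption)
$Spns = 'HTTP/PI-IIS', 'HTTP/PI-IIS.PIDemo.local'   # host names from the thread

function Test-SpnOwner {
    param([string]$Spn, [string]$Account)

    # Find every object in the current domain that carries this SPN.
    # Other domains in the forest are not searched by this query.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    $owners = @($searcher.FindAll() |
        ForEach-Object { [string]$_.Properties['samaccountname'][0] })

    # Classify the result; string comparison here is case-insensitive.
    $status = 'OK'
    if ($owners.Count -eq 0) { $status = 'MISSING' }
    if ($owners.Count -gt 1) { $status = 'DUPLICATE' }
    if ($owners.Count -eq 1 -and $owners[0] -ne $Account) { $status = 'WRONG-ACCOUNT' }

    New-Object PSObject -Property @{
        Spn    = $Spn
        Owners = ($owners -join ', ')
        Status = $status
    }
}

$Spns |
    ForEach-Object { Test-SpnOwner -Spn $_ -Account $ExpectedAccount } |
    Select-Object Spn, Owners, Status |
    Format-Table -AutoSize
```

Any status other than OK means Kerberos under Negotiate is likely to fail for that name, which matches the credential prompt described in the first post. An owner ending in `$` is a computer account rather than the service account.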